Cyber attacks require a multifaceted defence
Any comprehensive security strategy requires three essential components: protecting the endpoints, protecting privileged accounts, and monitoring the environment continuously.
Once the Protection of Personal Information Act (POPIA) comes into force, and the signs are that this is imminent, companies will face hefty fines if they expose people’s personal information. Alan Campbell, Head of Business Development at Mitigate, says: “Your business is more likely to be the subject of a cyber attack if it holds personally identifiable information.”
Campbell and his team believe there´s definitely a correlation. “We´re seeing a big trend towards ransomware, where cybercriminals shut the whole thing down and the victim has to pay to regain access to their networks and data. In this economic climate, no business can afford to be slack with their IT hygiene; it’s critical for the majority of today´s companies to have access to their IT systems to do business, making them prime targets.”
In the face of determined and ever-evolving cyber attacks, businesses need a multi-faceted approach to their security. “When securing your home, you implement various layers of security. You need to take the same approach to your cybersecurity in order to increase your chances of avoiding a ransomware attack.”
While it´s impossible to completely prevent cyber attacks, it is possible to manage them so that, instead of becoming a large incident and encrypting all of the business´s devices and software, by having the right measures in place, you can prevent the onslaught from spreading across the organisation. The ransomware may still get in and possibly encrypt a machine or two, but it is possible to stop it from spreading and taking over, containing the impact to a limited number of computers.
Campbell says: “Far too often it's the human factor that opens the door to a cyber attack. All you need is for one person to click on a link, but if it can be flagged, you can stop it from happening altogether, or at least stop it from spreading.”
Endpoint detection and response
This is where endpoint detection and response (EDR) comes into play, replacing endpoint protection. He explains: “Endpoint protection was based on definitions and signatures. For decades, viruses were detected by identifying a specific sequence of characters that were then flagged as malware. However, in the region of 350 000 new viruses are coming out every single day. This requires 350 000 new definitions being downloaded to every computer worldwide, on a daily basis. It´s just not possible to keep pace, and the anti-virus software of old has become ineffective at keeping out malware.”
EDR looks at the behaviour of the malware. If it identifies any bad behaviour, regardless of what it´s called, it stops it in its tracks. This is a more effective approach, able to cope with the growing number of new viruses that are being released daily.
However, it doesn´t solve all of your problems, says Campbell, and businesses still need to take an in-depth defence approach to cybersecurity. Nevertheless, he adds, it is a big step in the right direction.
Anti-virus software has a lower success rate than EDR when it comes to preventing ransomware. This is primarily because of the time required to create and distribute updates for anti-virus, whereas EDR uses artificial intelligence (AI) and machine learning to solve it in a matter of seconds.
EDR is far more advanced than traditional anti-virus. It collects a large amount of telemetry data, which can be very valuable in detecting advanced threats. As such, the benefits of using such tools is greatly amplified when operated by highly skilled people to manage and oversee them. Should something happen overnight, you need 24/7 identification and alerting, which is why EDR and security operations centres go hand in glove, says Campbell.
He´s a proponent of a three-pronged approach to security as a managed service. “You need to protect the endpoints, you need to protect privileged accounts, and you need to monitor the environment 24/7/365.”
Privileged account management
Within any organisation there are certain users who require special privileges to perform their functions. These are privileged users. These users need to be protected while they access systems that host sensitive data, and the best way to do this is to control their access privileges until they are required.
“You make privileged accounts unavailable until their rights are required, then assign access to the accounts on a limited basis, and monitor all of the activity," says Campbell. “When the task is finished, you revoke access again.”
For example, if an administrator needs to do something on a system, and requires privileged access, they´ll ask the privileged account management (PAM) system for a privileged account. It will be assigned to him or her. The person logs on to that system, does what they need to do, logs out, and the PAM system immediately revokes that account. Should a cyber attacker get hold of that password, it’s unusable because it simply doesn’t exist anymore. In addition, every activity is recorded and can be searched or played back.
Campbell points out that cybercriminals tend to seek out privileged accounts because they have access to the high-value data. “If you can access those accounts, you can move around the system in the hope of accessing financial data. Whenever you hear about a ransomware attack that affected many devices and servers, the cyber attacker probably gained access via privileged accounts.”
The aim of monitoring is so that you can turn all of those events that your security tools are spotting into events that can be managed and remediated with the appropriate level of attention. Campbell explains: “For instance, if malware attacks a critical host, an incident will be logged and the user will be notified so that they can take remedial action. Depending on the severity level, the user can either attend to the issue immediately (if critical) or as part of operations (if less critical).”
- A severity 1 incident requires that the person drop everything and attend to it immediately because the data could be at risk, such as an attack on a server.
- A severity 2 incident is an attack that could elevate to severity 1 if it´s not dealt with.
- A severity 1 incident is critical to the business, whereas severity 2 is operational.
From a service-level agreement point of view, clients should respond to a severity 1 incident within a matter of hours, while a severity 2 incident can be dealt with in a couple of business days.
Campbell is quick to highlight that the above-mentioned three strategies aren´t the entirety of a security approach, but are nonetheless vital elements of a comprehensive strategy. He says: “First and foremost, you need to secure your endpoints (devices) effectively, using EDR instead of traditional endpoint protection. Then you need to defend your privileged accounts. The third element is to monitor what you´re doing. If you don’t and an attack happens, you may respond too late to stop it.
"Cyber attacks aren´t instantaneous; it takes a while for cybercriminals to find what they want, which means that you have time to monitor, respond and deal with the issue.”
To manage all of this internally is just too complex and too expensive, plus the available skills to do it are few and far between. The answer: Take it out as a service and make sure it’s delivering on the fundamental requirements that allow you to answer the questions: “Am I secure and do I know it?”